[OpenAFS] More questions about the re-keying document

Benjamin Kaduk kaduk@MIT.EDU
Thu, 25 Jul 2013 19:35:34 -0400 (EDT)

On Thu, 25 Jul 2013, Benjamin Kaduk wrote:

> There's another MIT-specific reason to not include a DES key in the 
> rxkad.keytab, namely that the MIT KDC does not set requires_preauth on new 
> principals by default.  This means that if there's a DES key in the KDB, an 
> unauthenticated attacker can make an AS_REQ with the afs principal as the 
> "client principal", and claim to only support des-cbc-crc.  Since 
> preauthentication is not required, the KDC will create an AS_REP and use the 
> DES key from the KDB to encrypt the reply.  Now the attacker has a 
> plaintext/ciphertext pair with which to mount an offline brute force attack.

I should note that just setting the requires_preauth flag on the afs 
service principal to prevent this attack is not a good idea. 
Unfortunately, the same flag is used to indicate different things when a 
principal is acting as a client and when it is acting as a server.  Here, 
we want the client behavior, requiring preauthentication before initial 
credentials are granted.  The service behavior is that the flag causes the 
KDC to require clients to present credentials which were obtained using 
preauthentication, before the KDC will issue a service ticket for this 
service principal.  If the afs service principal does not have the flag 
set, it is likely that user principals do not as well, so in effect users 
will be locked out of accessing AFS.
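As an added defender-side check that is not part of this thread: a small Python script that parses MIT kadmin `getprinc` output for the afs service principal and reports leftover DES keys, plus whether REQUIRES_PRE_AUTH is absent as the post describes. The sample output, cell name and realm are constructed, and the `getprinc` line layout is an assumption based on MIT kadmin.

```python
import re

# Constructed sample of MIT kadmin "getprinc afs/example.org" output (not real data).
SAMPLE_GETPRINC = """\
Principal: afs/example.org@EXAMPLE.ORG
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Number of keys: 3
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc
MKey: vno 1
Attributes:
Policy: [none]
"""

# Single-DES enctype names as printed by MIT kadmin.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}


def parse_getprinc(text):
    """Extract principal name, key enctypes and attribute flags from getprinc output."""
    info = {"principal": None, "enctypes": [], "attributes": set()}
    for line in text.splitlines():
        if line.startswith("Principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        elif line.startswith("Key:"):
            # Assumed layout: "Key: vno N, <enctype>[, <salt>]"
            m = re.match(r"Key: vno \d+, ([^,\s]+)", line)
            if m:
                info["enctypes"].append(m.group(1))
        elif line.startswith("Attributes:"):
            info["attributes"] = set(line.split(":", 1)[1].split())
    return info


def audit_afs_principal(text):
    """Return findings for the afs principal: a DES key in the KDB, and the
    missing preauth requirement that lets an unauthenticated AS_REQ obtain a
    reply encrypted under that DES key.  The remedy the post recommends is to
    drop the DES key, not to set REQUIRES_PRE_AUTH on the service principal."""
    info = parse_getprinc(text)
    findings = []
    des_keys = [e for e in info["enctypes"] if e in DES_ENCTYPES]
    if des_keys:
        findings.append(f"{info['principal']} has DES key(s): {', '.join(des_keys)}")
        if "REQUIRES_PRE_AUTH" not in info["attributes"]:
            findings.append("no preauth required: AS_REP material under the DES key "
                            "is exposed; remove the DES key rather than flag the service")
    return findings
```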